I installed Crowdsec on my Mailcow server following this blog post: Protecting mailcow with Crowdsec

You just have to adjust the names of the Mailcow containers in /etc/crowdsec/acquis.yaml to the current names but then it works perfectly. And it’s really impressive what Crowdsec finds. Mailcow’s netfilter is nice but it’s no comparison to what you can filter with Crowdsec. I highly recommend it. In my opinion, it’s a must-have for every Mailcow operator.

    Hmm… my main goal of hosting my own mail server was (and still is) to maintain my privacy. Installing crowdsec and therefore exposing my logs to a cloud service is somewhat counterproductive in my opinion…


    And what private information goes to Crowdsec? That someone from the USA, China or wherever starts BF attacks, port scans or other scans on your server? What is so worth protecting about that? What is the alternative that you think is better?

    Example from this morning:

    Well, it’s basically a log parser which uploads information to the crowdsec cloud service to update the global blacklists. If that’s ok for you then go ahead, I’m just not a fan of services which don’t work on a local basis only.
    fail2ban is sufficient for me

    But I’ll have a deeper look into crowdsec, maybe I’m wrong about that 🙂

    Do you also check the Docker logs with Fail2ban? I tried to find information about it but unfortunately didn’t find much.

    8 months later

    Ganzjahresgriller You said this: /etc/crowdsec/acquis.yaml to the current names.
    I am having trouble knowing how to change this file to make it work.
    What did you change?
    Thanks

    My one:

        ---
        # lines for mailcow
        source: docker
        container_name:
          - mailcowdockerized-nginx-mailcow-1
        labels:
          type: nginx
        ---
        source: docker
        container_name:
          - mailcowdockerized-dovecot-mailcow-1
          - mailcowdockerized-postfix-mailcow-1
        labels:
          type: syslog
        ---

    This works for me

      Ganzjahresgriller
      I’m getting errors in the log file:

      time="2025-04-13T10:15:44-04:00" level=fatal msg="crowdsec init: while loading acquisition config: while configuring datasource of type docker from /etc/crowdsec/acquis.yaml (position 0): while parsing DockerAcquisition configuration: yaml: unmarshal errors:\n  line 3: cannot unmarshal !!str `mailcow...` into []string\n  line 4: field type not found in type dockeracquisition.DockerConfiguration"
      

      acquis.yaml file:

      source: docker
      container_name:
        mailcowdockerized-nginx-mailcow-1
      
      labels:
      type: nginx
      ---
      source: docker
      container_name:
        mailcowdockerized-dovecot-mailcow-1
        mailcowdockerized-postfix-mailcow-1
      labels:
      type: syslog
      ---
      

      Ganzjahresgriller
      After doing that then there is this log error:

      time="2025-04-14T07:23:17-04:00" level=fatal msg="crowdsec init: while loading acquisition config: while configuring datasource of type docker from /etc/crowdsec/acquis.yaml (position 0): while parsing DockerAcquisition configuration: yaml: unmarshal errors:\n  line 3: cannot unmarshal !!str `mailcow...` into []string\n  line 4: field type not found in type dockeracquisition.DockerConfiguration"
      

      Do you have installed the parsers?

      cscli parsers install crowdsecurity/docker-logs
      cscli collections install crowdsecurity/nginx
      cscli collections install crowdsecurity/postfix
      cscli collections install crowdsecurity/dovecot

        Ganzjahresgriller
        Yes I did:

        [root@mail multi-user.target.wants]# cscli parsers install crowdsecurity/docker-logs
        Nothing to do.
        [root@mail multi-user.target.wants]# cscli collections install crowdsecurity/nginx
        Nothing to do.
        [root@mail multi-user.target.wants]# cscli collections install crowdsecurity/postfix
        Nothing to do.
        [root@mail multi-user.target.wants]# cscli collections install crowdsecurity/dovecot
        Nothing to do.
        

        @Ganzjahresgriller I think it’s because your post above wasn’t code formatted :/

        Here’s what you originally wanted to post I guess

        ---
        # lines for mailcow
        source: docker
        container_name:
          - mailcowdockerized-nginx-mailcow-1
        labels:
          type: nginx
        ---
        source: docker
        container_name:
          - mailcowdockerized-dovecot-mailcow-1
          - mailcowdockerized-postfix-mailcow-1
        labels:
          type: syslog
        ---

        @maybl8 your file has the wrong syntax currently

        Ganzjahresgriller
        After changing the file I think we now have some success:

        time="2025-04-14T08:15:20-04:00" level=info msg="Enabled feature flags: none"
        time="2025-04-14T08:15:20-04:00" level=info msg="Crowdsec v1.6.8-f209766ef"
        time="2025-04-14T08:15:20-04:00" level=info msg="Loading prometheus collectors"
        time="2025-04-14T08:15:20-04:00" level=info msg="Loading CAPI manager"
        time="2025-04-14T08:15:23-04:00" level=info msg="CAPI manager configured successfully"
        time="2025-04-14T08:15:23-04:00" level=info msg="Start push to CrowdSec Central API (interval: 11s once, then 10s)"
        time="2025-04-14T08:15:23-04:00" level=info msg="Starting community-blocklist update"
        time="2025-04-14T08:15:23-04:00" level=info msg="Start sending metrics to CrowdSec Central API (interval: 38m15s once, then 30m0s)"
        time="2025-04-14T08:15:23-04:00" level=info msg="CrowdSec Local API listening on 127.0.0.1:8080"
        time="2025-04-14T08:15:23-04:00" level=info msg="capi metrics: sending"
        time="2025-04-14T08:15:23-04:00" level=info msg="Loading grok library /etc/crowdsec/patterns"
        time="2025-04-14T08:15:24-04:00" level=info msg="capi/community-blocklist : 0 explicit deletions"
        time="2025-04-14T08:15:25-04:00" level=info msg="Loading enrich plugins"
        time="2025-04-14T08:15:25-04:00" level=info msg="Successfully registered enricher 'GeoIpCity'"
        time="2025-04-14T08:15:25-04:00" level=info msg="Successfully registered enricher 'GeoIpASN'"
        time="2025-04-14T08:15:25-04:00" level=info msg="Successfully registered enricher 'IpToRange'"
        time="2025-04-14T08:15:25-04:00" level=info msg="Successfully registered enricher 'reverse_dns'"
        time="2025-04-14T08:15:25-04:00" level=info msg="Successfully registered enricher 'ParseDate'"
        time="2025-04-14T08:15:25-04:00" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
        time="2025-04-14T08:15:25-04:00" level=info msg="Loading parsers from 11 files"
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/dovecot-logs.yaml stage=s01-parse
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-logs.yaml stage=s01-parse
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/postfix-logs.yaml stage=s01-parse
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml stage=s01-parse
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml stage=s02-enrich
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 12 nodes from 3 stages"
        time="2025-04-14T08:15:25-04:00" level=info msg="No postoverflow parsers to load"
        time="2025-04-14T08:15:25-04:00" level=info msg="Loading 53 scenario files"
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=lingering-breeze name=crowdsecurity/jira_cve-2021-26086
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=broken-sun name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=solitary-waterfall name=crowdsecurity/CVE-2022-26134
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=young-sun name=crowdsecurity/CVE-2024-9474
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=long-water name=crowdsecurity/nginx-req-limit-exceeded
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=empty-sound name=crowdsecurity/CVE-2019-18935
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=wild-sunset name=crowdsecurity/CVE-2022-42889
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=late-night name=crowdsecurity/CVE-2022-44877
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=billowing-darkness name=crowdsecurity/fortinet-cve-2018-13379
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=patient-cloud name=crowdsecurity/http-sensitive-files
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=aged-darkness name=crowdsecurity/http-generic-bf
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=spring-paper name=LePresidente/http-generic-401-bf
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=damp-cherry name=LePresidente/http-generic-403-bf
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=spring-dream name=crowdsecurity/vmware-vcenter-vmsa-2021-0027
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=holy-bird name=crowdsecurity/grafana-cve-2021-43798
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=lively-star name=crowdsecurity/http-wordpress-scan
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=hidden-wind name=crowdsecurity/ssh-slow-bf
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=holy-tree name=crowdsecurity/ssh-slow-bf_user-enum
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=blue-forest name=crowdsecurity/vmware-cve-2022-22954
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=morning-glitter name=crowdsecurity/http-admin-interface-probing
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=small-water name=crowdsecurity/CVE-2022-46169-bf
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=divine-night name=crowdsecurity/CVE-2022-46169-cmd
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=proud-breeze name=crowdsecurity/http-cve-2021-41773
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=dark-smoke name=crowdsecurity/http-path-traversal-probing
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=nameless-thunder name=crowdsecurity/http-xss-probbing
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=purple-wildflower name=crowdsecurity/fortinet-cve-2022-40684
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=restless-meadow name=crowdsecurity/CVE-2022-41082
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=dawn-resonance name=crowdsecurity/http-cve-probing
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=weathered-darkness name=crowdsecurity/CVE-2022-37042
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=dawn-firefly name=crowdsecurity/postfix-helo-rejected
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=green-surf name=crowdsecurity/http-bad-user-agent
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=bold-mountain name=crowdsecurity/postfix-relay-denied
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=restless-water name=crowdsecurity/CVE-2023-22515
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=dark-mountain name=crowdsecurity/http-crawl-non_statics
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=old-sky name=crowdsecurity/CVE-2022-35914
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=crimson-moon name=crowdsecurity/postfix-non-smtp-command
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=lively-flower name=crowdsecurity/CVE-2023-49103
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=holy-paper name=crowdsecurity/CVE-2023-22518
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=falling-sunset name=crowdsecurity/http-cve-2021-42013
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=dark-glade name=ltsich/http-w00tw00t
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=long-snow name=crowdsecurity/CVE-2024-38475
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=quiet-tree name=crowdsecurity/ssh-cve-2024-6387
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=polished-shadow name=crowdsecurity/f5-big-ip-cve-2020-5902
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=dark-sun name=crowdsecurity/http-backdoors-attempts
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=solitary-dawn name=crowdsecurity/http-sqli-probbing-detection
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=muddy-dream name=crowdsecurity/netgear_rce
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=broken-shape name=crowdsecurity/CVE-2022-41697
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=floral-meadow name=crowdsecurity/http-probing
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=holy-leaf name=crowdsecurity/http-open-proxy
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=dawn-water name=crowdsecurity/thinkphp-cve-2018-20062
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=dawn-lake name=crowdsecurity/dovecot-spam
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=blue-sound name=crowdsecurity/apache_log4j2_cve-2021-44228
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=falling-snowflake name=crowdsecurity/spring4shell_cve-2022-22965
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=blue-snow name=crowdsecurity/postfix-spam
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=dry-sky name=crowdsecurity/postscreen-rbl
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=little-rain name=crowdsecurity/CVE-2017-9841
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding trigger bucket" cfg=winter-meadow name=crowdsecurity/CVE-2024-0012
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=morning-sound name=crowdsecurity/ssh-bf
        time="2025-04-14T08:15:25-04:00" level=info msg="Adding leaky bucket" cfg=dark-firefly name=crowdsecurity/ssh-bf_user-enum
        time="2025-04-14T08:15:25-04:00" level=info msg="Loaded 59 scenarios"
        time="2025-04-14T08:15:25-04:00" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
        time="2025-04-14T08:15:25-04:00" level=info msg="Starting processing data"
        time="2025-04-14T08:15:25-04:00" level=info msg="Starting docker acquisition" type=docker
        time="2025-04-14T08:15:25-04:00" level=info msg="Container watcher started, interval: 1s" type=docker
        time="2025-04-14T08:15:25-04:00" level=info msg="DockerSource Manager started" type=docker
        time="2025-04-14T08:15:25-04:00" level=info msg="Starting docker acquisition" type=docker
        time="2025-04-14T08:15:25-04:00" level=info msg="Container watcher started, interval: 1s" type=docker
        time="2025-04-14T08:15:25-04:00" level=info msg="DockerSource Manager started" type=docker
        time="2025-04-14T08:15:25-04:00" level=info msg="crowdsecurity/community-blocklist : added 15000 entries, deleted 0 entries (alert:1)"
        time="2025-04-14T08:15:25-04:00" level=info msg="Start pull from CrowdSec Central API (interval: 1h56m2s once, then 2h0m0s)"
        time="2025-04-14T08:15:26-04:00" level=info msg="start tail for container mailcowdockerized-nginx-mailcow-1" container_name=mailcowdockerized-nginx-mailcow-1 type=docker
        time="2025-04-14T08:15:26-04:00" level=info msg="start tail for container mailcowdockerized-dovecot-mailcow-1" container_name=mailcowdockerized-dovecot-mailcow-1 type=docker
        time="2025-04-14T08:15:26-04:00" level=info msg="start tail for container mailcowdockerized-postfix-mailcow-1" container_name=mailcowdockerized-postfix-mailcow-1 type=docker
        

        Should I see items like these on the Crowdsec website?
        How long before I see alerts? Or info from my server showing up?
        Thanks

        time="2025-04-14T12:58:34-04:00" level=info msg="(fb7cb0c0736f44bba24263df018c9e4eM4uKE8XjGk3zoHMr/crowdsec) crowdsecurity/postscreen-rbl by ip 152.32.207.150 (US/135377) : 4h ban on Ip 152.32.207.150"
        

        I had to re-enroll and then I started seeing data on the crowdsec website.
        How do you guys use this information?

        > I had to re-enroll and then I started seeing data on the crowdsec website.

        Yes but this is optional, you can see it on the Console too: cscli decision list

        > How do you guys use this information?

        Only for information

    I would do this: dynamically increase the ban time for recurring IPs. It is described here: andersgood.de In 15 Minuten Linux-Server mit CrowdSec absichern | andersGOOD Blog

    It is a German website; use the translator of your choice. It has other tips too, e.g. e-mail notification …
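The "dynamically increase ban time for recurring IPs" idea mentioned above, as an added example written for this thread (it is not the andersGOOD blog's configuration and not any poster's file). It uses the `duration_expr` field of CrowdSec's /etc/crowdsec/profiles.yaml: when the expression evaluates, its result replaces the static `duration` of the decision. The profile name and the 4h base value match the stock default profile (the "4h ban on Ip" seen in the log above is that default); the `email_default` notification line assumes the email plugin in /etc/crowdsec/notifications/email.yaml has been configured, otherwise leave it out.

```yaml
# /etc/crowdsec/profiles.yaml  (first profile only; keep the range profile that follows it unchanged)
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h        # fallback used when duration_expr cannot be evaluated
# Escalation: 4h for the first decision against this IP, 8h for the second, 12h for the third, ...
# GetDecisionsCount(value) returns the number of decisions already stored for that IP in the
# Local API database, so the count only covers decisions that have not yet been flushed.
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - email_default       # assumption: email plugin configured; remove this line otherwise
on_success: break
```

After reloading the crowdsec service, `cscli decisions list` shows the growing duration in the Duration column for an IP that keeps triggering scenarios. Note that expired decisions are removed from the database by the periodic flush, so the count is "recent repeat offenders", not a lifetime total; that is usually what you want, since an address that was clean for months should not be banned for weeks on its first new hit.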

          Ganzjahresgriller
          Do you guys have the email alerts being used?
          I tried it but it sends an email for each alert and the same alert happens over and over sometimes. That’s too many emails.
          Is there a way for it to collect several alerts and combine them into one email that sends maybe every hour or 2?
          Thanks

          Another question:
          I went to my Crowdsec page and saw this message:

          Monthly alert quota exhausted
          Quota reset on 30th April
          

          Do you guys get this message also?
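For the batching question above (one e-mail per alert): CrowdSec notification plugins accept `group_wait` and `group_threshold`, which collect alerts and hand them to the plugin as one message. Added example of /etc/crowdsec/notifications/email.yaml, not the poster's file; the SMTP values are placeholders, the recipient addresses are constructed, and the profile that should send mail must list `email_default` under `notifications:` in /etc/crowdsec/profiles.yaml.

```yaml
# /etc/crowdsec/notifications/email.yaml
type: email
name: email_default
log_level: info

# The template receives a list of alerts, so one mail can describe many decisions.
format: |
  {{range . -}}
  {{$alert := . -}}
  {{range .Decisions -}}
  {{.Value}} gets {{.Type}} for {{.Duration}} for triggering {{.Scenario}} on {{$alert.MachineID}}
  {{end -}}
  {{end -}}

# SMTP settings: placeholders, replace with your relay (mailcow's postfix works for this)
smtp_host: CHANGE_ME
smtp_port: 587
smtp_username: CHANGE_ME
smtp_password: CHANGE_ME
auth_type: login
encryption_type: starttls
sender_email: crowdsec@example.org        # constructed sample address
receiver_emails:
  - admin@example.org                     # constructed sample address

# Without these two keys every alert is delivered on its own, which is the
# "one mail per alert" behaviour described in the post above.
# group_wait: hold alerts and send one digest at most every 2 hours ...
group_wait: 2h
# group_threshold: ... unless 50 alerts pile up first, then send immediately
group_threshold: 50
```

The digest interval is a trade-off: a long `group_wait` reduces mail volume but delays the first notice of an ongoing brute-force run, so `group_threshold` acts as the safety valve that still gets a burst reported promptly. Restart the crowdsec service after editing, since notification plugins are loaded at startup.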
